[Openswan Users] Terminating VPN on the NAT gateway

Simon Deziel simon at xelerance.com
Wed Jun 12 13:07:56 UTC 2013

On 13-06-12 06:20 AM, Binand Sethumadhavan wrote:
> On 11 June 2013 17:58, Binand Sethumadhavan <binand at gmx.net> wrote:
>> I can see in tcpdump that the source IP of packets from BB endpoint to
>> AA endpoint is set to the WAN-side IP of BB. Why is this so?
> This now works for me after I added this iptables rule:
> iptables -t nat -I POSTROUTING -s a.b.c.d -d -j SNAT
> --to-source
> No documentation says such a step is needed. Is there something I am
> missing elsewhere in my config?

In general, it's best to avoid NAT'ing for all IPsec related traffic. I
recommend using this one:

iptables -t nat -I POSTROUTING -m policy --dir out --proto esp -j RETURN


More information about the Users mailing list